Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Use the CLI

Monitor files and directories via Splunk's Command Line Interface (CLI). To use Splunk's CLI, navigate to the $SPLUNK_HOME/bin/ directory and use the splunk command in that directory.

If you get stuck, Splunk's CLI has built-in help. Access the main CLI help by typing splunk help. Individual commands have their own help pages as well -- type splunk help <command>.

CLI commands for input configuration

The following commands are available for input configuration via the CLI:

Command Command syntax Action
add monitor add monitor <source> [-parameter value] ... Monitor inputs from <source>.
edit monitor edit monitor <source> [-parameter value] ... Edit a previously added monitor input for <source>.
remove monitor remove monitor <source> Remove a previously added monitor input for <source>.
list monitor list monitor List the currently configured monitor inputs.
add oneshot add oneshot <source> [-parameter value] ... Copy the file <source> directly into Splunk. This uploads the file once, but Splunk does not continue to monitor it.
spool spool <source> Copy the file <source> into Splunk via the sinkhole directory. This command is similar to add oneshot, except that the file gets spooled from the sinkhole directory, rather than added immediately.

Change the configuration of each data input type by setting additional parameters. Parameters are set via the syntax: -parameter value.

Note: You can only set one -hostname, -hostregex or -hostsegmentnum per command.

Parameter Required? Description
<source> Yes Path to the file or directory to monitor/upload for new input.

Note: Unlike the other parameters, the syntax for this parameter is just the value itself and is not preceded by a parameter flag: "<source>", not "-source <source>".

sourcetype No Specify a sourcetype field value for events from the input source.
index No Specify the destination index for events from the input source.
hostname or host No Specify a host name to set as the host field value for events from the input source.

Note: These are functionally equivalent.

hostregex or host_regex No Specify a regular expression to use to extract the host field value from the source key.

Note: These are functionally equivalent.

hostsegmentnum or host_segment No An integer, which determines what "/" separated segment of the path to set as the host field value. If set to 3, for example, the third segment of the path is used.

Note: These are functionally equivalent.

rename-source No Specify a value for the "source" field to be applied to data from this file.
follow-only No Set to "true" or "false". Default is "false".

When set to "true", Splunk reads from the end of the source (like the "tail -f" Unix command).

Note: This parameter is not available for add oneshot.

Example 1: Monitor files in a directory

The following example shows how to monitor files in /var/log/.

Add /var/log/ as a data input:

./splunk add monitor /var/log/ 

Example 2: Monitor windowsupdate.log

The following example shows how to monitor the Windows Update log (where Windows logs automatic updates), sending the data to an index called "newindex".

Add C:\Windows\windowsupdate.log as a data input:

./splunk add monitor C:\Windows\windowsupdate.log -index newindex

Example 3: Monitor IIS logging

This example shows how to monitor the default location for Windows IIS logging.

Add C:\windows\system32\LogFiles\W3SVC as a data input:

./splunk add monitor c:\windows\system32\LogFiles\W3SVC 

Example 4: Upload a file

This example shows how to upload a file into Splunk. Unlike the previous examples, Splunk only consumes the file once; it does not continuously monitor it.

Upload /var/log/applog directly into Splunk with the add oneshot command:

./splunk add oneshot /var/log/applog

You can also upload a file via the sinkhole directory with the spool command:

./splunk spool /var/log/applog

The result is the same with either command.

PREVIOUS
Use Splunk Web
  NEXT
Edit inputs.conf

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

Regarding Windows Update log monitoring, I would suggest using the correct case:<br />C:\Windows\WindowsUpdate.log<br />This is the correct file name casing and adding via the GUI will use this casing.<br />This can help avoid duplicates as it seems Splunk would display the sources as 2 seperate sources if the casing is different.

Yuvalba
June 30, 2013

Will oneshot or spool create duplicate events if part of the log file has been previously indexed? In my situation, there is a 6 day gap (while logs were being indexed into the wrong index). Naturally, this gap starts mid day and ends mid day. Log rotation being daily, means part of the first and last day of the gap have already been indexed. I'd prefer not to have to manually modify the log files before adding them in. (ps - tried using collection command to move from index to index, but there was just too much data)

Sberg
December 24, 2012

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters